OCC 2003-37
OCC Bulletin

Subject: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
Description: Proposed Guidance and Notice of Information Collection
Date: August 27, 2003

TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Service Providers, Department and Division Heads, and All Examining Personnel

The Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (the Agencies) are requesting comment on the attached proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The proposed Guidance and notice of information collection were published in the Federal Register on August 12, 2003.

The proposed Guidance interprets section 501(b) of the Gramm-Leach-Bliley Act, which relates to financial institutions' safeguards to protect nonpublic personal information, and provisions of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information issued and published in the Federal Register on February 1, 2001.

The proposed Guidance describes the Agencies' expectations that a financial institution develop a response program to protect against and address reasonably foreseeable risks associated with internal and external threats to the security of customer information maintained by the financial institution or its service provider. The proposed Guidance describes the components of a response program, which include procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The proposed Guidance provides that a financial institution is expected to expeditiously implement its response program to address incidents of unauthorized access to or use of customer information.
In addition, the Agencies invite comment on a proposed notice of information collection, as required by the Paperwork Reduction Act of 1995 (44 USC 35). The information collections contained in the proposed Guidance would require financial institutions to: (1) develop notices to customers; (2) determine which customers should receive the notices and send the notices to customers; and (3) ensure their contracts with their service providers satisfy the proposed Guidance.

For questions concerning this proposed Guidance and information collection, contact Aida Plaza Carter, Director, Bank Information Technology Operations Division, (202) 874-4740; Clifford A. Wilke, Director, Bank Technology Division, (202) 874-5920; Amy Friend, Assistant Chief Counsel, (202) 874-5200; or Deborah Katz, Senior Counsel, Legislative and Regulatory Activities Division, (202) 874-5090.

Julie L. Williams
First Senior Deputy Comptroller and Chief Counsel

Emory W. Rushton
Chief National Bank Examiner and Senior Deputy Comptroller

Attachment: 68 FR 47954 [http://www.occ.treas.gov/fr/fedregister/68fr47954.pdf]